Received: by 10.192.165.156 with SMTP id m28csp49884imm;
        Tue, 10 Apr 2018 16:09:35 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+wqkPrSLMUlGZ2cByvLpZ3m4iL3iC+F9VBYkymmcAbYVVM89dfW+wjS0lxLXZwMKqSNzxR
X-Received: by 10.98.166.196 with SMTP id r65mr1961451pfl.110.1523401775784;
        Tue, 10 Apr 2018 16:09:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523401775; cv=none;
        d=google.com; s=arc-20160816;
        b=yPC52DbJ/LKYnP81tXEEOXggZbP/YZarQTrKqnhf16g95ryCHXWJhvKCiyEzg6KaUn
         a/zkKNAsmg/r6PC0XKxdPF+lwPSADhAtI49gR8YIW/S6FYsBfZ+Eu6kNNNLww9d/r9Zw
         MzlUprbG43J+1bb6OeTmozwpYV1yY7SrUfK2I1+3HbwK46qivuGRKkCk1i1syZBlKplL
         1o7+//FeP1cFx33XddG3fEFNlbQI0boePL2fZDBiS7UGG2eEcCKcB8bJF0DQQdTlnf/1
         bLaVVk5GAWOc8W0JKOmk6G7eS2M72DL0WBNIvVkQ7UoIAv/swrc6eKtUQoiVFRgCRJ96
         HuJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=i/yjlwbJzQYgtWzstrzij0iLAzvbfw6Co49Gm+5tvoI=;
        b=i8t/jMsqaVK+9jEUyO8Y1IzcCD/9v7zeCQKK1dCLQm+pWlxFfvWIefnYChI/JOsJK/
         pfz12lPaY1Tae13IaBU5+V4qvee8rMkdT23SlOakZfYEe40PiMElizvRD1d9BV80LM59
         bTvpOPRzz2oUYwl9N9E2mlEF6YjbB7Zp6HXT/PthUg4ZQB9anEdC8S+IL26dVuNbjbX5
         kGlRx6nLKQKEOw1NejSQ0+IDHsNLfN4SgCzqn8SSpWzF6j/2Pa/yS8lmCbpXFS1O5E5s
         +igGJtXVciWMwcWpjOvp9J9OPYHUPBWCNxkh8t+Byyp2+mEfylnB5G8Yj/DU9+ubru/f
         jxrw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n7si2503277pga.199.2018.04.10.16.08.59;
        Tue, 10 Apr 2018 16:09:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932199AbeDJWeu (ORCPT <rfc822;zxj546700287@gmail.com>
        + 99 others); Tue, 10 Apr 2018 18:34:50 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:41860 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932185AbeDJWer (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Apr 2018 18:34:47 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 22D9CCDB;
        Tue, 10 Apr 2018 22:34:46 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Tobias Brunner <tobias@strongswan.org>,
        Steffen Klassert <steffen.klassert@secunet.com>,
        "David S. Miller" <davem@davemloft.net>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 007/138] ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
Date:   Wed, 11 Apr 2018 00:23:17 +0200
Message-Id: <20180410212903.008087216@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180410212902.121524696@linuxfoundation.org>
References: <20180410212902.121524696@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Brunner <tobias@strongswan.org>


[ Upstream commit 09ee9dba9611cd382fd360a99ad1c2fa23bfdca8 ]

If SNAT modifies the source address the resulting packet might match
an IPsec policy, reinject the packet if that's the case.

The exact same thing is already done for IPv4.

Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_output.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -138,6 +138,14 @@ static int ip6_finish_output(struct net
 		return ret;
 	}
 
+#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
+	/* Policy lookup after SNAT yielded a new policy */
+	if (skb_dst(skb)->xfrm) {
+		IPCB(skb)->flags |= IPSKB_REROUTED;
+		return dst_output(net, sk, skb);
+	}
+#endif
+
 	if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
 	    dst_allfrag(skb_dst(skb)) ||
 	    (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))